Updated Security Risk Assessment Tool and Senator’s Query to Improve Health Data Privacy

Senator Seeks Information on How to Improve Health Data Privacy

Senator Bill Cassidy (R-LA), a member of the U.S. Senate Committee on Health, Education, Labor, and Pensions (HELP), is seeking suggestions on how to improve health data privacy while continuing to support the clinical research that depends on health data.

In recent years, a growing number of new technologies collect, store, and transmit health data, including smart devices, wearables, and health and fitness apps. These technologies have enabled better healthcare and let patients access their own medical data; however, most of the health information collected, stored, and transmitted by these technologies is not covered by HIPAA.

Senator Cassidy is requesting input from stakeholders on how to improve health data privacy, particularly for data gathered using technologies that did not exist in 1996 when HIPAA was enacted, and on whether HIPAA should be updated and broadened to protect data collected by entities that are not covered by HIPAA.

Senator Cassidy has posed several general privacy questions: what should be regarded as health data; whether the term should apply only to information regulated by HIPAA; whether other kinds of health information should be handled differently; which organizations not currently classified as HIPAA-covered entities should be responsible for handling health information; and whether those organizations should owe a duty of loyalty to their customers/patients.

Senator Cassidy notes that new rules may bring implementation difficulties and wants suggestions on how to improve the privacy of this health information without creating too many problems, for example by limiting the duty of loyalty according to the sensitivity of the information collected. He also wants input from stakeholders on the current effectiveness of the HIPAA framework, whether HIPAA should be amended, the problems legislative revisions of HIPAA would cause, and how health information sharing could be organized given the present patchwork of legal frameworks across the states.

Feedback is also requested on biometric information, genetic data, and location information: whether these kinds of data should be included in a new definition of health information, and what the obligations should be for collecting and protecting them.

Consent should be obtained from consumers before health data is collected, and data minimization should restrict the data collected to what is reasonably necessary. Feedback is sought on how to achieve this, how data practices should be communicated to consumers, whether consumers should have the right to request deletion of non-HIPAA-covered information, and whether there should be a mechanism for opting in to or out of data collection for health information not regulated by HIPAA.

Feedback is also requested on the problems encountered in complying with the data privacy frameworks enacted in 9 states since 2018, and on any lessons learned as those states have applied these frameworks to the regulation of health information.

Any new rules or revisions to HIPAA would also need to be enforced, and that too is likely to produce difficulties. Currently, HHS' Office for Civil Rights is the primary enforcer of HIPAA; it is operating under serious financial constraints and has a large backlog of investigations. The Federal Trade Commission oversees health information obtained by non-HIPAA-regulated entities and has recently taken action over health data breaches. Recommendations are sought on how HIPAA could be improved, whether new health information rules should be enacted, and what role the various agencies should play in enforcement.

Stakeholders can submit their replies on or before September 28, 2023.

Updated Security Risk Assessment Tool Released by OCR and ONC

The HHS’ Office for Civil Rights (OCR) together with the Office of the National Coordinator for Health Information Technology (ONC) have introduced a new version of their Security Risk Assessment (SRA) Tool.

Risk analysis is one of the requirements of the HIPAA Security Rule. HIPAA-covered entities must perform a risk analysis to identify and assess all potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI). When a thorough and accurate organization-wide risk analysis is not performed, risks and vulnerabilities are likely to remain unaddressed and may be exploited by malicious actors to gain access to ePHI. Despite its value, many HIPAA-covered entities fail to comply with this requirement of the HIPAA Security Rule. Failure to conduct a risk analysis is one of the most common HIPAA violations discovered by OCR during data breach and HIPAA compliance investigations.

ONC developed the SRA Tool as a downloadable desktop application in collaboration with OCR to help small- and medium-sized organizations through the security risk assessment process. The tool uses multiple-choice questionnaires, threat and vulnerability assessment, and asset and vendor management; offers guidance and references throughout the process; and generates reports that can be saved and printed once the assessment is complete.

The tool was first released in 2014 and has received a number of improvements over the years. The latest version, version 3.4, includes several new features, such as a remediation report to allow tracking of responses entered in the tool, a glossary and "Tool Tips" help function, updated references to the 2023 edition of Health Industry Cybersecurity Practices (HICP), and a number of bug fixes and stability improvements.

The tool is available as a Windows desktop application or an Excel workbook on the HHS website.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to the specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source of information on the complexities of healthcare regulations. Her contribution to the field extends to helping readers understand the importance of patient privacy and the secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on Twitter at https://twitter.com/ElizabethHzone